IoT malware starts showing destructive behavior

Hackers have started adding data-wiping routines to malware that’s designed to infect internet-of-things and other embedded devices. Two attacks observed recently displayed this behavior but likely for different purposes.

Researchers from Palo Alto Networks found that infects digital video recorders through a year-old vulnerability. Amnesia is a variation of an older IoT botnet client called Tsunami, but what makes it interesting is that it attempts to detect whether it’s running inside a virtualized environment.

The malware performs some checks to determine whether the Linux environment it’s running in is actually a virtual machine based on VirtualBox, VMware, or QEMU. Such environments are used by security researchers to build analysis sandboxes or honeypots.

Virtual machine detection has existed in Windows malware programs for years, but this is the first time when this feature has been observed in malware built for Linux-based embedded devices. If Amnesia detects the presence of a virtual machine it will attempt to wipe critical directories from the file system using the Linux “rm -rf” shell command in order to destroy any evidence they might have collected.

, aimed at IoT devices, that they’ve dubbed BrickerBot. This attack is launched from compromised routers and wireless access points against other Linux-based embedded devices.

The malware attempts to authenticate with common username and password combinations on devices that have the Telnet service running and are exposed to the internet. If successful, it launches a series of destructive commands intended to overwrite data from the device’s mounted partitions. It also attempts to kill the internet connection and render the device unusable.

While some devices might survive the attack because they use read-only partitions, many won’t and will need a firmware reflash. Also, any configurations will likely be lost and, in the case of routers with USB ports or network attached storage devices, data from external hard drives might also be wiped.

In fact, one of the BrickerBot attack variations is not even limited to embedded and IoT devices and will work on any Linux-based system that is accessible over Telnet, if it has weak or default credentials.

and affects more than 70 brands of DVRs (digital video recorders) — the systems that record video streams from CCTV cameras.

The reason why so many DVR models were affected is that the companies selling them under different brands actually sourced the hardware and the firmware from the same OEM (original equipment manufacturer) in China, a company called Shenzhen TVT Digital Technology.

This so-called “white labeling” practice is common for many IoT devices, including IP cameras and routers, and it makes the distribution of security patches to affected devices very hard. It’s also one of the reasons why many such devices don’t have automatic updates.

At the moment, there are more than 227,000 DVRs around the world that have this vulnerability and are directly exposed to the internet, according to Palo Alto Networks. The largest number of them are in Taiwan, the United States, Israel, Turkey, and India.

When buying a camera, router, NAS system, or other IoT device, users should look at the manufacturer’s security track record: Does the company have a dedicated point of contact for security issues? How has it handled vulnerabilities in its products in the past? Does it publish security advisories? Does it regularly release security patches? Does it support its products for a reasonable amount of time? Do the products have an automatic update feature?

The answers to these questions should inform buying decisions, in addition to the price itself, because all software has flaws, and vulnerabilities are regularly found in both cheap and expensive devices. It’s how manufacturers deal with those flaws that really makes a difference.